Dark Web News Analysis
A threat actor on a monitored cybercrime forum has posted a solicitation to purchase compromised user credentials (logs) specifically targeting KeyBank’s ibx.key.com portal. The actor is offering a sliding scale of payment, ranging from $10 to $500+ per valid log, depending on the account type and balance.
Brinztech Analysis:
- The Market Signal: In the cybercrime underground, a “Buying” listing is often more dangerous than a “Selling” listing. It indicates a capable attacker with a specific cash-out method (e.g., wire fraud capability) who is hungry for supply. They are effectively placing a bounty on KeyBank employees and customers.
- The Target (ibx.key.com): This specific subdomain often handles commercial or institutional banking traffic. The high offer price ($500+) strongly suggests the actor is looking for business accounts with higher limits and wire transfer capabilities, rather than standard retail checking accounts.
- The Source: These “logs” are typically harvested by Infostealer Malware (like RedLine, Lumma, or Vidar) infecting victim computers. The buyer is asking log owners to search their databases specifically for this URL.
Key Cybersecurity Insights
This solicitation creates a heightened risk environment for KeyBank and its corporate clients:
- Incentivized Targeting: By offering a high price ($500+), the threat actor encourages other criminals to specifically target KeyBank users with phishing or malware campaigns to fulfill the demand.
- Corporate Account Takeover (CATO): The pricing structure implies a tiered interest. Low-tier logs ($10) may be used for reconnaissance, while high-tier logs ($500) are likely destined for Wire Fraud or ACH Fraud.
- Session Hijacking Risk: “Logs” often contain not just passwords, but also Session Cookies. If the attacker purchases a fresh log with a valid cookie, they may be able to bypass Multi-Factor Authentication (MFA) by replaying the session, gaining immediate access to the account.
Mitigation Strategies
In response to this specific demand for credentials, organizations using KeyBank services must heighten their defenses:
- Credential Monitoring: Corporate security teams should actively monitor dark web “stealer log” markets. If a corporate email address appears in these logs, assume the employee’s device is infected and their KeyBank access is compromised.
- Strict MFA Enforcement: Ensure that MFA is enforced for every login attempt on ibx.key.com. Consider implementing “phishing-resistant” MFA (FIDO2/Hardware Keys) for users with wire transfer authority.
- Session Token Invalidation: KeyBank administrators (and client IT teams) should ensure that session lifetimes are short and that critical actions (like initiating a payment) trigger a fresh authentication challenge.
- Endpoint Hygiene: The root cause of these “logs” is malware on the user’s device. Ensure all endpoints accessing banking portals have updated EDR (Endpoint Detection and Response) solutions to block infostealers before they exfiltrate data.
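The session controls described above (MFA on every login, short absolute and idle lifetimes, a fresh authentication challenge before a payment is initiated, and wholesale revocation when an account shows up in a stealer-log feed) can be sketched as a small server-side session store. The following Python is an added example written for this post; it is not Brinztech's or KeyBank's code, and the class names, the client-fingerprint binding and the timeout values are assumptions chosen for illustration, not the portal's actual policy.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Policy values are assumptions for illustration, not any real portal's settings.
ABSOLUTE_LIFETIME_S = 15 * 60   # session dies 15 minutes after login, active or not
IDLE_TIMEOUT_S = 5 * 60         # ... or after 5 minutes without a request
STEP_UP_FRESHNESS_S = 60        # payment initiation needs an MFA pass within the last minute


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    last_mfa: float     # time of the most recent MFA challenge the user passed
    client_fp: str      # hash of client characteristics captured at login (assumed binding)
    revoked: bool = False


class SessionStore:
    """In-memory session store; a real deployment would back this with a shared cache."""

    def __init__(self, now=time.time):
        self._now = now                      # injectable clock so expiry can be tested
        self._sessions: dict[str, Session] = {}

    def login(self, user: str, client_fp: str, mfa_passed: bool) -> str:
        # MFA is mandatory on every login, not just "new device" logins.
        if not mfa_passed:
            raise PermissionError("MFA is required for every login")
        token = secrets.token_urlsafe(32)
        t = self._now()
        self._sessions[token] = Session(user, t, t, t, client_fp)
        return token

    def validate(self, token: str, client_fp: str):
        """Return the live session for this token, or None.

        An expired token, a revoked token, or a token presented from a client
        that does not match the one bound at login is rejected and revoked, so a
        cookie lifted from an infected machine is useless once moved elsewhere.
        """
        s = self._sessions.get(token)
        if s is None or s.revoked:
            return None
        t = self._now()
        if t - s.created > ABSOLUTE_LIFETIME_S or t - s.last_seen > IDLE_TIMEOUT_S:
            self.revoke(token)
            return None
        if not hmac.compare_digest(s.client_fp, client_fp):
            self.revoke(token)   # replayed cookie from a different client
            return None
        s.last_seen = t
        return s

    def initiate_payment(self, token: str, client_fp: str, mfa_passed_now: bool) -> str:
        """Critical action: requires a valid session AND a recent MFA challenge."""
        s = self.validate(token, client_fp)
        if s is None:
            return "denied: no valid session"
        if mfa_passed_now:
            s.last_mfa = self._now()
        if self._now() - s.last_mfa > STEP_UP_FRESHNESS_S:
            return "step-up required"
        return "payment initiated"

    def revoke(self, token: str) -> None:
        s = self._sessions.get(token)
        if s is not None:
            s.revoked = True

    def revoke_user(self, user: str) -> int:
        """Kill every session for a user; the hook to call when a credential-monitoring
        feed reports that user's email in a stealer log. Returns the number revoked."""
        count = 0
        for s in self._sessions.values():
            if s.user == user and not s.revoked:
                s.revoked = True
                count += 1
        return count


if __name__ == "__main__":
    clock = [1000.0]                                  # constructed fake clock
    store = SessionStore(now=lambda: clock[0])
    tok = store.login("treasury@example-client.test", "fp-A", mfa_passed=True)
    clock[0] += 120
    print(store.initiate_payment(tok, "fp-A", mfa_passed_now=False))   # step-up required
    print(store.initiate_payment(tok, "fp-A", mfa_passed_now=True))    # payment initiated
    print(store.validate(tok, "fp-B"))                                  # None: replay rejected
```

The two checks that matter most against purchased stealer logs are in `validate` and `initiate_payment`: a replayed cookie is rejected when it arrives from a client that does not match the login binding, and even a cookie replayed from a perfectly cloned client cannot move money without passing a fresh MFA challenge. `revoke_user` is the action item behind the "Credential Monitoring" bullet: once an address surfaces in a log, every session for that user is cut rather than waiting for timeouts.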
Secure Your Business with Brinztech — Global Cybersecurity Solutions
Brinztech protects organizations worldwide from evolving cyber threats. Whether you’re a startup or a global enterprise, our expert solutions keep your digital assets safe and your operations running smoothly.
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com